It doesn't check for the code to be valid, so it's very easy to get the directory structure; can't change that... (Though I might make it filter the directory later.)

I fixed all except one:
<?php
// backtick operator: runs `ls` through the shell (same as shell_exec('ls'))
print `ls`;
?>

Now this is something of PHP I was not familiar with. Can I get a link to some documentation on that? Does it only work with `?

Would blocking the ` character outside of strings suffice?

Thanks for the input, guys!

Edit: Sessions and cookies are left on intentionally, because my server does not store any sensitive data in them. If I ever get to the release of this tool, they will be blocked (currently the lines blocking them are commented out).
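On the question of blocking the backtick outside of strings: PHP's own tokenizer already makes that distinction, since the backtick operator comes back as a single-character token while backticks inside string literals never do. The following is an added example (not the thread author's code; the function name and the sample inputs are constructed for illustration):

```php
<?php
// Added example: detect the backtick (shell execution) operator with
// PHP's tokenizer instead of scanning the raw source for the character,
// so a backtick inside '...' or "..." does not trigger a false positive.

function containsShellExecOperator(string $source): bool
{
    foreach (token_get_all($source) as $token) {
        // token_get_all() returns multi-character tokens as arrays and
        // single-character operators as plain strings; the backtick
        // operator is one of the latter. Inside a string literal the
        // whole literal is one T_CONSTANT_ENCAPSED_STRING token, so no
        // separate '`' token appears.
        if ($token === '`') {
            return true;
        }
    }
    return false;
}

// Constructed samples: source snippet => expected verdict.
$samples = [
    '<?php print `ls`; ?>'          => true,  // the bypass from the thread
    '<?php echo "`ls`"; ?>'         => false, // backticks inside a string
    "<?php echo 'a`b'; ?>"          => false, // same, single quotes
    '<?php $x = shell_exec("ls");'  => false, // a job for the function filter
];

foreach ($samples as $code => $expected) {
    $verdict = containsShellExecOperator($code);
    printf("%-32s %s\n", $code, $verdict === $expected ? 'ok' : 'MISMATCH');
}
```

Note that the PHP manual describes the backtick operator as identical to shell_exec(), so a filter that only matches function names by text will not see this form; checking the token stream, as above, closes that gap independently of the function whitelist.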

Ok, huge update! Custom functions are now allowed. That means a new area that can possibly be exploited. To minimize damage for when it's exploited while actually being used in the wild, I added a function blacklist. If you are able to bypass a harmless function that is not allowed, make sure to report it anyway!

It only allows a whitelist of PHP functions, but it also allows custom functions with any name, so these specific names are blocked in case anyone ever defeats the filter, as a "just in case" damage minimizer.

Oh those are all true, but they don't affect PHP. In the version offered for download, the function (amongst others like setcookie) will be blocked, but I like testing it under the worst possible conditions.

So while you're right, it's not the right kind of concern right now. Thanks, though.

I also updated it; it now allows mathematical operators and = in front of (. The source is in the post up there.